topic Re: How to merge rows with a common field? in Splunk Search

How to merge rows with a common field?

ndaniel88 — Wed, 13 Mar 2019 18:49:43 GMT

Hello, I have 1 single table that comes from two different searches/indexes/sourcetypes using append.

I need to join the results using 1 common field (name), in order to have per row all the information that I need.

The table I have is like:

+--------+--------+--------+------+----------+
| Date1 | Date2 | Date3 | name | Doc |
+--------+--------+--------+------+----------+
| Jan 08 |------- | --------- | A1 |----------|
| Jan 08 |------- | --------- | A2 |----------|
| Jan 08 |------- | --------- | A2 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 08 |------- | --------- | A3 |----------|
| Jan 04 |------- | --------- | A4 |----------|
| Jan 09 |------- | --------- | A2 |----------|
|-----------| Jan2 | Jan09 | B1 | KYOM |
|-----------| Jan2 | Jan09 | A4 | UNYT |
|-----------| Jan2 | Jan09 | A1 | AGHY |
|-----------| Jan2 | Jan09 | A3 | POLK |
|-----------| Jan2 | Jan09 | B2 | TYHU |
+--------+--------+--------+------+----------+

And my goal is to end up with something like

+--------+---------+---------+--------+------+
| Date1 | Date2 | Date3 | name | Doc |
+--------+---------+---------+--------+------+
| Jan 08 | Jan2 | Jan09 | A1 | AGHY |
| Jan 08 | Jan2 | Jan09 | A2 |----------|
| Jan 08 | Jan2 | Jan09 | A2 |----------|
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 08 | Jan2 | Jan09 | A3 | POLK |
| Jan 04 | Jan2 | Jan09 | A4 | UNYT |
| Jan 09 | Jan2 | Jan09 | A2 |----------|
|----------| Jan2 | Jan09 | B1 | KYOM |
|----------| Jan2 | Jan09 | B2 | TYHU |
+--------+---------+---------+--------+------+

There is 1 and only 1 common field in the two searches, in the example the date match but is only for testing, it really never match. My search is like:

I'm not using a single stats because it groups same name in 1 row (multivalue), and I need each result on its own row. Even tho they have same name, they are different events, that I'll evaluate per row after this table is generated.

Thanks.

Re: How to merge rows with a common field?

richgalloway — Wed, 13 Mar 2019 23:42:06 GMT

You say you don't want to use a single stats, but have you tried doing so and then using mvexpand to put each result in its own row?

Re: How to merge rows with a common field?

ndaniel88 — Thu, 14 Mar 2019 00:47:23 GMT

That's the thing, I don't know how to do so. I've tried m expand, but I guess I didn't do it correctly, I don't know how to use it to achieve my goal.

Re: How to merge rows with a common field?

moonmk — Thu, 14 Mar 2019 01:01:18 GMT

Try it. "join" use

index=main
| stats count by Date1 , Date2, Date3 , name , Doc
| join type=outer name [search index=other
| stats count by Date1 , Date2, Date3 , name , Doc ]
| table Date1 , Date2, Date3 , name , Doc

Re: How to merge rows with a common field?

HiroshiSatoh — Thu, 14 Mar 2019 02:24:44 GMT

I think the example is strange ...

If you concatenate Doc using name to data that Doc does not exist

(your search)
|streamstats count as no|eval no=if(isnull(Doc),0,no)
|stats list(*) as * by name
|fillnull value="" 
|mvexpand Date1
|table Date1,Date2,Date3,name,Doc

Re: How to merge rows with a common field?

ndaniel88 — Thu, 14 Mar 2019 14:46:59 GMT

I prefer not to use join due performance issues. Thanks

Re: How to merge rows with a common field?

ndaniel88 — Thu, 14 Mar 2019 14:47:48 GMT

Why strange? that's exactly how my data looks, but with real data, lol.

Anyways, your answer works like a charm, Thank you, I appreciate.